Commentary
Modernized security critical to consumer privacy
Local governments face mounting pressure to adopt the new technology needed to deliver the best digital customer experience possible. Constituents’ expectations have to be balanced with another high priority: protecting the confidentiality and privacy of information about the citizens the government entities serve. In recent years, a perfect storm of challenging conditions has formed as municipalities expanded their online services; new threats, such as ransomware, emerged; and budgets tightened. As a result of these conflicting pressures, today’s attackers have more potential points of entry into sensitive government data.
To further complicate the government landscape, new privacy legislation such as the California Consumer Privacy Act, which goes into effect in 2020, pushes on an even wider open door. Many government entities are well prepared to meet new privacy requirements; however, the daunting job of safeguarding private data is never finished. While few governments have the same resources as their private sector counterparts, the legal responsibility and public expectations about protecting confidential data are the same.
It is not unusual to find a local government’s IT organization juggling the demands of 30 or more installed security products. These products often complicate consumers’ online experiences, which creates frustration for those that cities and counties serve.
Disturbing incidents such as the ransomware-triggered weeklong shutdown of the City of Atlanta’s IT systems brings real-world clarity to these issues. As the president of a security solutions company, I want to say that the solution is not necessarily new technology. Rather, the answer centers on making existing solutions better fit the demands of the new online-driven, privacy-oriented world.
Accumulating data, the new gold, leads to opportunities for those who can monetize it and others who intend to abuse it. The volume and value of data available on government sites creates such an enticingly rich target that few attackers can resist. In addition, the growing prevalence of shadow IT, the practice of government staff using non-standard and unapproved technical solutions to mask the weaknesses inherent in approved tools and services, creates new and unprotected vulnerabilities that often fly under IT’s radar.
In addition, monolithic legacy technologies, aging programs that have been institutionalized into the operations of local governments, often lack the robust security infrastructure needed to thwart today’s sophisticated attackers. Consider, for example, the use of PKI or S/MIME technology to secure email. Aside from the known limitations of handling large files and being used in an ad hoc manner, the technology’s underlying architecture is flawed. The use of static key pairs (asymmetric encryption) allows tenacious attackers to access valuable data. This vulnerability also risks any stored email, all of which can be opened at an attacker’s leisure. Even more frightening, neither the intended recipient nor the sender would be aware that their data had been compromised.
Using more modern symmetric encryption methods can solve this vulnerability at the message level where each data packet is secured with a unique set of credentials. Security-oriented innovations that eliminate passwords or codes after a first communication can combine to create a new level of security and convenience.
For governments and the public, email is a preferred communications platform; it is universally available, familiar to all, non-proprietary and very easy to use. Were you to solve the three most well-known limitations of email – security, handling larger files and maintaining an audit trail – it can become the first and most inclusive choice for 21st century communications.
Modern security applications build on email’s substantial advantages by solving these three known problems, further simplifying its use and replacing more costly alternatives. The same secure servers that handle email can use simple APIs (application programming interfaces) to send and receive all types of confidential files as well. The only requirement to exchange data securely is a standard valid email address – no tokens, no special software and no user training. These modern security applications deliver ROI quickly and their short installation times can be seen as a win-win for cities and counties as well as their hard-pressed security teams and for the general public.
Mark Forrest is Chief Executive Officer (CEO) of Cryptshare AG and President of its U.S. subsidiary, Cryptshare, Inc, provider of a secure communication solution for the exchange of business sensitive information. For more information, visit www.cryptshare.com. Reach Mark at [email protected].
